US Pat. No. 9,177,145

MODIFIED FILE TRACKING ON VIRTUAL MACHINES

Sophos Limited, Abingdon...

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers,
performs the steps of:
identifying one or more positions in a physical memory associated with a virtual machine;
detecting a write operation to at least one of the one or more positions;
tracking the write operation in a cluster map that holds information about one or more modified clusters of the physical memory;
converting the one or more modified clusters of the physical memory to a set of modified files for a file system of the virtual
machine using per-file occupation information provided by the file system;

identifying at least one file on the virtual machine from the set of modified files for the file system;
receiving an on-access request for the virtual machine; and
scanning the virtual machine prior to access to the virtual machine using the physical memory independently of any specific
application programming interfaces (APIs) for the virtualization technology, wherein scanning includes performing a scan of
the at least one file at the file level with a facility independent of a virtualization capability used to manage the virtual
machine, and wherein scanning includes using the set of modified files to limit a scan to a portion of the physical memory
containing the at least one file.

US Pat. No. 9,392,015

ADVANCED PERSISTENT THREAT DETECTION

Sophos Limited, Abingdon...

1. A system for threat detection, comprising:
a gateway in an enterprise, the gateway configured to detect a request for network traffic from an endpoint in the enterprise,
the request including a destination address and the request containing a violation of a network policy for the enterprise,
the gateway further configured to identify the endpoint that originated the request, and to query the endpoint to access a
log of network requests from processes executing on the endpoint to determine a source process on the endpoint that generated
the request on the endpoint, the gateway further configured to map the source process to one or more files on the endpoint;
and

a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship
with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the
enterprise that contain the one or more files mapped to the source process, and to remediate the one or more other endpoints
with respect to the one or more files.

US Pat. No. 9,210,182

BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM

Sophos Limited, Abingdon...

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers,
performs the steps of:
monitoring an executing computer process for an indication of malicious behavior, wherein the indication of the malicious
behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene, where the gene is stored
for reference in a database and wherein the gene relates to at least one of API calls, registry access, process manipulation,
and file system access;

performing the monitoring step a number of times to collect a plurality of malicious behavior indications;
comparing the plurality of malicious behavior indications to one or more phenotypes that rank combinations of behaviors according
to increasing levels of confidence that a runtime object is executing a behavior pattern comparable to a known family of malware;

triggering a content analysis of the process when the plurality of malicious behavior indications for the process corresponds
to one of the number of phenotypes having a predetermined level of confidence that the process contains a known family of
malware, wherein a type of the content analysis is based on the one of the number of phenotypes, thereby providing a prediction;
and

causing an action based on the prediction.

US Pat. No. 9,112,899

REMEDIAL ACTION AGAINST MALICIOUS CODE AT A CLIENT FACILITY

Sophos Limited, Abingdon...

1. A method for externally initiating remediation against malicious code executing undetected on a client, the method comprising:
originating a request for an interaction with a network site by a client computing facility;
determining by the client computing facility that the interaction is unacceptable based on an acceptance policy for an enterprise;
denying access to the network site by the client computing facility;
receiving, by the client computing facility, an information file from a gateway facility to the enterprise including information
relating to the requested interaction with the network site, wherein the information indicates that the interaction was requested;

interpreting, by the client computing facility, in response to receipt of the information file, the information relating to
the requested interaction;

determining, by the client computing facility, whether the requested interaction was the result of an automatically generated
request by malicious code; and

taking, by the client computing facility, remedial action in the event that the attempted interaction was the result of the
automatically generated request by malicious code.

US Pat. No. 10,135,861

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

Sophos Limited, Abingdon...

1. A method of securing an endpoint against malware that contains sandbox detection mechanisms, the method comprising:
receiving a sample of a software object;
performing a first static analysis of the sample using one or more signatures of known malware;
when malware is detected in the first static analysis, rejecting a file containing the sample for use on the endpoint;
when malware is not detected in the first static analysis, performing a reputation analysis of the sample to detect a known, safe software object that can be executed on the endpoint without further analysis;
when a known, safe software object is not detected in the reputation analysis, performing a second static analysis of the sample to detect a component configured to detect one or more aspects of a virtualized environment;
when an anti-sandbox component is detected in the second static analysis, selecting, based on the anti-sandbox component detected in the second static analysis, a least computationally expensive sandbox from a number of different types of sandboxes having different computational costs, and forwarding the sample to the least computationally expensive sandbox for execution and testing; and
when no anti-sandbox component is detected, permitting the software object to be processed on the endpoint.

US Pat. No. 9,104,864

THREAT DETECTION THROUGH THE ACCUMULATED DETECTION OF THREAT CHARACTERISTICS

Sophos Limited, Abingdon...

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers,
performs the steps of:
providing a first database that correlates a plurality of threat characteristics to a threat, wherein a presence of the plurality
of the threat characteristics confirms a presence of the threat;

detecting a change event in a computer run-time process;
testing the change event for a presence of one or more of the plurality of threat characteristics upon detection of the change
event;

storing a detection of one of the plurality of threat characteristics in a second database that accumulates detected characteristics
for the computer run-time process;

scaling the plurality of threat characteristics in the first database to a number of relevant threat characteristics based
upon accumulated detected characteristics in the second database using an inverted threat index that associates each of a
number of particular characteristics with one or more particular threats, and for each one of the one or more particular threats,
further specifies how many particular characteristics are used to identify the one of the one or more particular threats,
thereby updating the first database as threat characteristics are detected in change events; and

identifying the threat when the number of relevant threat characteristics appear in the second database.

US Pat. No. 9,917,859

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

Sophos Limited, Abingdon...

1. A method comprising:
providing a plurality of available sandbox environments including at least one dedicated hardware sandbox environment and
at least one virtual machine sandbox environment;

performing a static analysis of a sample of a software object using one or more signatures of one or more known malware objects;
and

when the static analysis identifies an anti-sandbox component, selecting a dedicated hardware sandbox environment from among
the plurality of available sandbox environments to process the software object for malware testing.

US Pat. No. 9,537,841

KEY MANAGEMENT FOR COMPROMISED ENTERPRISE ENDPOINTS

Sophos Limited, Abingdon...

1. A method comprising:
labeling objects on an endpoint with a labeling scheme in which the objects are either in, wherein the objects conform to
a compliance policy administered for the endpoint from a remote threat management facility, or the objects are out, wherein
the objects do not conform to the compliance policy, thereby providing a plurality of in objects and a plurality of out objects,
the objects including at least one of processes, files, and data;

for in objects of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files
controlled by the file system using a key ring that is remotely managed;

detecting a compromise of the endpoint; and
in response to detecting the compromise, deleting key material cached on the endpoint from the key ring, thereby revoking
access to the encrypted files by the endpoint.

US Pat. No. 9,489,193

METHOD AND SYSTEM FOR PROVIDING SOFTWARE UPDATES TO LOCAL MACHINES

Sophos Limited, Abingdon...

1. A method of updating software in one of a plurality of local computing devices coupled in a communicating relationship
through a local network, each local computing device of the plurality of local computing devices includes a broadcast processor
and an updater processor, the method comprising:
receiving a descriptor file at the one of the plurality of local computing devices from a source outside the local network,
the descriptor file including a hash code for each of a plurality of update sub-files in a software update, the descriptor
file further indicating an order in which the plurality of update sub-files assemble into the software update;

based on the descriptor file, downloading one of the plurality of update sub-files to the one of the plurality of local computing
devices;

broadcasting, by the broadcast processor of the one of the plurality of local computing devices, the one of the plurality
of update sub-files from the one of the plurality of local computing devices to other ones of the plurality of local computing
devices on the local network;

determining, by each broadcast processor of each respective other ones of the plurality of local computing devices, if the
software update is relevant to resident software on the respective other one of the plurality of local computing devices through
matching an identifier for the software update contained in the descriptor file corresponding to the update sub-files to identifiers
for resident software on the respective other one of the plurality of computing devices;

if the software update is relevant to the respective other one of the plurality of local computing devices, comparing, by
the respective other one of the plurality of local computing devices, the hash code for the one of the plurality of update
sub-files to hash codes of update sub-files that are already in its memory, and if the update sub-file is not found to already
be in memory, to store the one of the plurality of update sub-files in its memory;

repeat the broadcasting, determining, and comparing steps for at least one of the remaining update sub-files in the software
update indicated in the descriptor file; and

when all update sub-files of the software update have been broadcast to the other ones of the plurality of local computing
devices for which the software update is relevant, performing, by the respective update processor of the other relevant ones
of the plurality of local computing devices, the steps of:

comparing all the hash codes of the update sub-files newly stored and those previously stored in a local memory of the other
relevant ones of the plurality of local computing devices to hash codes for sub-files identified in the descriptor file to
ensure that all sub-files reside in local memory;

if all sub-files reside in local memory, assembling the software update from the plurality of update sub-files; and
installing the software update on the respective other one of the plurality of local computing devices.

US Pat. No. 9,122,874

METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT

Sophos Limited, Abingdon...

1. A method for operating a scanning facility executing on processing circuitry, the method comprising:
receiving a plurality of client requests for content from a client at the scanning facility, each one of the requests including
an outbound network request from the client with a Uniform Resource Identifier (URI) containing a domain name;

saving contextual information from the requests at the scanning facility, wherein the contextual information includes a changing
character string from a first one of the plurality of requests to a second one of the plurality of requests and wherein the
changing character string further includes at least one change to header information for the requests;

examining the requests for compliance with a management policy at the scanning facility;
retrieving a content item responsive to the request at the scanning facility; and
analyzing, with the scanning facility, the contextual information and a corresponding plurality of content items responsive
to the plurality of requests to detect whether the plurality of content item includes restricted content from a list of restrictions
in the management policy.

US Pat. No. 10,038,702

SERVER DRIFT MONITORING

Sophos Limited, Abingdon...

1. A method comprising:
configuring a plurality of servers in a group of similarly configured servers with one or more executables in a known configuration, each one of the plurality of servers configured to provide services across a network to remote clients;
instrumenting each of the plurality of servers to detect changes in the one or more executables in the plurality of servers, and to periodically or continuously provide updates with information about the changes;
receiving the changes in the one or more executables at a threat management facility for an enterprise network that includes the plurality of servers;
detecting a drift in a first one of the plurality of servers, the drift including a deviation of the changes in the one or more executables in the first one of the plurality of servers relative to the changes in the one or more executables in other ones of the plurality of servers, wherein detecting includes detecting by a number of classes of changes each specifying an actor initiating one of the changes; and
initiating a remedial action when the drift in the first one of the plurality of servers deviates beyond a predetermined threshold, wherein the predetermined threshold is a different threshold for each of the number of classes of changes.

US Pat. No. 9,740,859

THREAT DETECTION USING REPUTATION DATA

Sophos Limited, Abingdon...

1. A method comprising:
maintaining reputation data in a memory on each of a plurality of devices, the reputation data for one of the plurality of
devices including a reputation score and a time to live for each of a plurality of executables executed by the one of the
plurality of devices;

updating the reputation data on each of the plurality of devices, wherein updating the reputation data includes adding new
entries for new executables executed by a respective one of the plurality of devices using reputation scores from a remote
threat management facility and wherein updating the reputation data further includes deleting one or more existing entries
from the reputation data using the time to live to expire the existing entries from the reputation data;

monitoring, with the remote threat management facility, each one of the plurality of devices to detect, based on the reputation
data on each of the devices, a variance in access to one or more of the plurality of executables relative to access to the
one or more of the plurality of executables on each other one of the plurality of devices;

triggering an indication of compromise based on the variance in access to one or more of the plurality of executables; and
for the device from the plurality of devices corresponding to the indication of compromise based on the variance in access
to one or more of the plurality of executables, initiating a remedial action in response to the indication of compromise.

US Pat. No. 9,654,489

ADVANCED PERSISTENT THREAT DETECTION

Sophos Limited, Abingdon...

1. A system for threat detection, comprising:
a gateway in an enterprise, the gateway including a memory, and the gateway configured to detect a request for network traffic
from an endpoint in the enterprise, the request including a destination address and the request containing a violation of
a network policy for the enterprise, the gateway further configured to identify the endpoint that originated the request,
and to query the endpoint to determine a source process executing on the endpoint that generated the request, the gateway
further configured to map the source process to one or more files on the endpoint; and

a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship
with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the
enterprise that contain the one or more files, and to remediate the one or more other endpoints with respect to the one or
more files.

US Pat. No. 9,386,032

METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT

Sophos Limited, Abingdon...

1. A method for operating a scanning facility executing on processing circuitry, the method comprising:
receiving a request for content from a client at the scanning facility, the request including an outbound network request
from the client with a Uniform Resource Identifier (URI) including a domain for the URI with one or more characteristics including
an age of the domain;

saving contextual information from the request at the scanning facility, wherein the contextual information includes the age
of the domain included in the URI;

examining the request for compliance with a management policy at the scanning facility;
retrieving a content item responsive to the request at the scanning facility; and
analyzing, with the scanning facility, the contextual information from the request and the content item responsive to the
request to detect whether the content item includes restricted content based on the management policy.

US Pat. No. 9,426,179

PROTECTING SENSITIVE INFORMATION FROM A SECURE DATA STORE

Sophos Limited, Abingdon...

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on a threat management
facility, performs steps comprising:
storing a security policy for controlling access by a network endpoint to an encrypted remote secure data store, the security
policy requiring a removable data store locally connected to the network endpoint through an external port to meet one or
more security requirements for identification as a secure data store, wherein the one or more security requirements include
a requirement that the removable data store be encrypted;

receiving an indication at the threat management facility that an endpoint has access to the encrypted remote secure data
store;

auditing the endpoint to determine whether a security parameter of a first removable data store locally connected to the endpoint
through the external port is compliant with the one or more requirements for identification as a secure data store; and

causing the endpoint to implement an action to regulate dissemination by the endpoint of data from the encrypted remote secure
data store in response to a determination that the security parameter of the first removable data store locally connected
to the endpoint through the external port is non-compliant, the action comprising disabling network communications other than
communication between the threat management facility and the endpoint, including at least communications between the endpoint
and the encrypted remote secure data store.

US Pat. No. 9,390,263

USE OF AN APPLICATION CONTROLLER TO MONITOR AND CONTROL SOFTWARE FILE AND APPLICATION ENVIRONMENTS

Sophos Limited, Abingdon...

1. A computer program product for operating an application controller on an endpoint in an enterprise network, the computer
program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs
the steps of:
a. in response to a selection of a file, retrieving a reputation of the file stored in metadata for the file, wherein the
reputation includes at least one access and security parameter for the file and wherein the reputation is remotely stored
in a database independent of the application controller and accessible by the application controller, the access and security
parameter corresponding to the file being a secure encrypted file or an insecure unencrypted file;

b. in response to the access and security parameter, selecting a software application from at least two software applications
in an application environment on the endpoint to open the file based on a security configuration of each of the at least two
software applications and a corresponding determination of whether the file is a secure encrypted file or an insecure unencrypted
file, wherein one of the at least two software applications is a first software application configured to access secure encrypted
files and another one of the at least two software applications is a second software application not configured to access
secure encrypted files, and wherein the application controller can control access to encrypted files on the endpoint; and

c. launching the selected software application to open the file and access the file in accordance with the security configuration
for the selected software application.

US Pat. No. 9,967,271

METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT

Sophos Limited, Abingdon...

1. A method for operating a scanning facility executing on processing circuitry, the method comprising:
receiving a request for content from a client at the scanning facility, the request including an outbound network request from the client with a Uniform Resource Identifier (URI) including a domain for the URI;
saving contextual information from the request at the scanning facility, wherein the contextual information includes, in at least a portion of the URI, an alphanumeric pattern associated with malware;
examining the request for compliance with a management policy at the scanning facility;
retrieving a content item responsive to the request at the scanning facility; and
analyzing, with the scanning facility, the contextual information from the request and the content item responsive to the request to detect whether the content item includes restricted content based on the management policy.

US Pat. No. 10,122,687

FIREWALL TECHNIQUES FOR COLORED OBJECTS ON ENDPOINTS

Sophos Limited, Abingdon...

1. A method comprising:
providing an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by an application executing on the endpoint;
labeling data on the endpoint as secure data for type-dependent processing;
monitoring the application executing on the endpoint;
on the endpoint, coloring the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection;
applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data;
communicating the reportable event through the network from the endpoint to the application firewall; and
limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event.

US Pat. No. 9,984,248

BEHAVIORAL-BASED CONTROL OF ACCESS TO ENCRYPTED CONTENT BY A PROCESS

Sophos Limited, Abingdon...

1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:
encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (3) the process is identified as exposed when the process opens a first file that is identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process; and
restricting access by the process to the plurality of files when the process is exposed by controlling access to the plurality of files through a file system filter that conditionally decrypts one or more of the plurality of files for the process according to the exposure state of the process.

US Pat. No. 9,967,283

NORMALIZED INDICATIONS OF COMPROMISE

Sophos Limited, Abingdon...

1. A method comprising:
detecting an action on an endpoint;
normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
applying a rule to identify a reportable event based on the plurality of observations and the relationship.

US Pat. No. 9,928,366

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

Sophos Limited, Abingdon...

2. A method for malware detection comprising:
instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the first endpoint, wherein the number of causal relationships include at least one of a data flow, a control flow, or a network flow;
selecting a first set of logical locations from the plurality of logical locations;
recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph; and
remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.

US Pat. No. 9,609,008

METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT

Sophos Limited, Abingdon...

1. A method for operating a scanning facility executing on processing circuitry, the method comprising:
receiving a request for content from a client at the scanning facility, the request including an outbound network request
from the client with a Uniform Resource Identifier (URI) including a domain for the URI;

saving contextual information from the request at the scanning facility, wherein the contextual information includes whether
the URI is associated with URI redirection;

examining the request for compliance with a management policy at the scanning facility;
retrieving a content item responsive to the request at the scanning facility; and
analyzing, with the scanning facility, the contextual information from the request and the content item responsive to the
request to detect whether the content item includes restricted content based on the management policy.

US Pat. No. 9,934,025

METHOD AND SYSTEM FOR PROVIDING SOFTWARE UPDATES TO LOCAL MACHINES

Sophos Limited, Abingdon...

1. A method of updating software among computers in a local network, the method comprising:
receiving a descriptor file at a first device of a plurality of local computing devices coupled in a communicating relationship to one another through a local network that supports broadcast communications, wherein the descriptor file includes a hash code for each one of a plurality of update sub-files and indicates an order in which the plurality of update sub-files assemble into a software update;
determining if the software update is relevant to resident software on the first device by matching an identifier for the software update contained in the descriptor file to an identifier for resident software on the first device;
if the software update is relevant to resident software on the first device, determining that one of the plurality of update sub-files is not stored in a memory of the first device based on a comparison of a corresponding one of the hash codes included in the descriptor file with the hash code for one or more of the plurality of update sub-files currently stored in the memory;
downloading the one of the plurality of update sub-files to the first device;
broadcasting the one of the plurality of update sub-files from the first device to other ones of the plurality of local computing devices using a broadcast protocol of the local network; and
comparing the hash codes of the update sub-files provided in the descriptor file to the hash codes for sub-files stored in memory of the first device and, if all sub-files are found to be in the memory of the first device, assembling the software update from the plurality of update sub-files and installing the software update.

US Pat. No. 9,852,292

USE OF AN APPLICATION CONTROLLER TO MONITOR AND CONTROL SOFTWARE FILE AND APPLICATION ENVIRONMENTS

Sophos Limited, Abingdon...

1. A system, comprising:
a processor;
a non-transitory computer readable medium comprising instructions that when executed by the processor, performs the steps
of:

in response to a selection of a file, determining a reputation of the selected file based on the selected file's metadata
relating to an originating location of the file, wherein the originating location is selected from a group including at least
one network location and at least one local file location;

selecting a secure software application of two or more software applications to open the file for a first value of the reputation
and selecting an insecure software application of the two or more software applications to open the file for a second value
of the reputation, wherein the secure software application uses a decryption key to access encrypted content in files from
the originating location, and the insecure software application does not have access to the decryption key when opening files
from the originating location; and

launching the selected software application to open the file, wherein launching the selected software application includes
decrypting the file with the decryption key when the selected software application is the secure software application and
opening the file without the decryption key when the selected software application is the insecure software application.

US Pat. No. 9,571,452

DEPLOYING A SECURITY POLICY BASED ON DOMAIN NAMES

Sophos Limited, Abingdon...

1. A method for deploying a security policy based on domain names comprising:
receiving a network request from an endpoint at a firewall, the network request including an address for a remote resource;
when the address includes a domain name, applying the security policy to the network request based upon the domain name; and
when the address includes an Internet Protocol (IP) address, performing the steps of:
transmitting a hypertext transfer protocol (HTTP) GET request from the firewall to the IP address;
receiving a response including a header;
extracting a second domain name associated with the IP address from the header; and
applying the security policy to the network request based upon the second domain name.

US Pat. No. 10,122,753

USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS

Sophos Limited, Abingdon...

1. A system comprising:
an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, the process, during execution, opening a data file for manipulation, and the endpoint configured to evaluate a local reputation of the file using one or more local criteria including a first criterion based on a user executing the process and to evaluate the local reputation of the file further based on evaluating one or more of an origin of the data file, evaluating a reputation of an environment for the data file, evaluating a reputation of a user that created the data file, and evaluating a reputation of the process using the data file;
a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and
a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and the violation notification from the gateway, wherein the threat management facility is configured to respond to the violation notification by determining a remedial action for the file on the endpoint based upon the local reputation evaluated by the endpoint using the first criterion based on the user executing the process from the file, the global reputation of the file determined by the threat management facility, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.

US Pat. No. 9,860,277

NORMALIZED INDICATIONS OF COMPROMISE

Sophos Limited, Abingdon...

1. A method comprising:
detecting an action on an endpoint;
normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint,
thereby providing a normalized action;

creating an observation for the normalized action using a predetermined schema that organizes the observation into a first
identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors
that characterize the observation with information selected for relevance to threat detection;

collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one
of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater
granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least
one attribute provided by a source other than the hardware and software platform; and

applying a rule to identify a reportable event based on the plurality of observations and the relationship.

US Pat. No. 9,419,989

THREAT DETECTION USING URL CACHE HITS

Sophos Limited, Abingdon...

1. A method comprising:
maintaining a uniform resource locator (URL) cache on each of a plurality of devices, the URL cache including a reputation
score and a time to live for each of a plurality of URLs;

updating the URL cache on each of the plurality of devices using reputation scores from a remote threat management facility
to add new entries for new URL traffic to the URL cache and using the time to live to expire existing entries from the URL
cache;

monitoring the URL cache of each one of the plurality of devices with the remote threat management facility to detect a variance
in one of the URL caches relative to each other one of the URL caches;

triggering an indication of compromise based on the variance; and
initiating a remedial action for the device storing the one of the URL caches in response to the indication of compromise.

US Pat. No. 9,860,274

POLICY MANAGEMENT

Sophos Limited, Abingdon...

1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that,
when executing on a client device, performs the steps of:
receiving a policy at the client device for use by the client device, the policy including a plurality of rules, the plurality
of rules including a different rule for each corresponding application category of a plurality of application categories,
the application categories including at least e-mail and browser, wherein each application category in the plurality of application
categories is associated with a class of applications, with each application in the class of applications having one or more
common application characteristics;

storing the policy on the client device;
monitoring activity on the client device for a request to execute a requested application;
when the request is detected, performing the steps of:
interrupting a processing of the request by the client device;
determining a combination of genes for the requested application, wherein the genes identify functional blocks of the requested
application, wherein the functional blocks are selected for behavioral analysis and are representative of at least one function
and at least one execution flow of the requested application; and

categorizing the requested application into one of the classes of applications based upon behavior indicated by the at least
one function and at least one execution flow represented in the combination of genes; and

conditionally authorizing or prohibiting execution of the requested application on the client device according to one or more
of the rules of the policy applicable to the one of the classes of the requested application.

US Pat. No. 9,734,125

SYSTEMS AND METHODS FOR ENFORCING POLICIES IN THE DISCOVERY OF ANONYMIZING PROXY COMMUNICATIONS

Sophos Limited, Abingdon...

1. A computer program product for enforcing policies with respect to anonymizer proxy communications, the computer program
product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on
one or more computers, performs the steps of:
analyzing, at a web gateway for an enterprise network, website HTML content that is retrieved based on a website request from
a computing facility within the enterprise network by looking for patterns within the website HTML content that are similar
to patterns found in a known non-proxy website's HTML content through inspecting website page structure and the website HTML
content delivered;

in response to finding a similar pattern between the requested website and the known non-proxy website, comparing the requested
website's identifier with an identifier of the known non-proxy website;

in response to finding a mismatch between the two website identifiers, categorizing at least a portion of the requested website's
identifier as associated with an anonymizer proxy used to indirectly access network content outside the enterprise network
while obscuring a sender or receiver of information, wherein categorizing at least a portion of the requested website's identifier
as a suspect proxy website identifier involves determining a longest common portion of URLs requested of the requested website
and categorizing the longest common portion as indicative of a proxy website; and

blocking access by the computing facility to content at the requested website's identifier according to the policy for anonymizer
proxy communications.

US Pat. No. 9,621,524

CLOUD-BASED KEY MANAGEMENT

Sophos Limited, Abingdon...

1. A method comprising:
providing an administrator password for a host of an enterprise network;
retrieving a company private key for the enterprise network to an administrative host using a call authenticated with a cryptographic
hash of the administrator password, wherein the company private key is received from the host as a private key encrypted with
the administrative administrator password;

selecting an endpoint within the enterprise network;
creating a rollout password for the endpoint;
creating an endpoint key pair for the endpoint, the endpoint key pair comprising a public endpoint key signed with the company
private key and a private endpoint key encrypted with the rollout password;

transmitting the endpoint key pair to a remote computing resource with a call authenticated using a cryptographic hash of
the administrator password;

transmitting a cryptographic hash of the rollout password to the remote computing resource with a second call using a cryptographic
hash of the administrator password; and

providing the rollout password to a user of the endpoint; and
providing the endpoint key pair from the remote computing resource to the endpoint based on a call from the endpoint to the
remote computing resource authenticated using the cryptographic hash of the rollout password.

US Pat. No. 9,571,512

THREAT DETECTION USING ENDPOINT VARIANCE

Sophos Limited, Abingdon...

1. A method comprising:
selecting a metric that objectively and quantitatively characterizes an endpoint property, the metric representing changes
made to files on the endpoint;

monitoring a change in the metric on a group of endpoints over time;
creating a model that evaluates whether a new value for the metric at a point in time is within a range of expected values
for the metric at the point in time, the model including a statistical model based on a variance that characterizes a range
of expected values, and a periodicity that characterizes a change in the range of expected values over time;

instrumenting an endpoint to detect a current value for the metric at a current time;
applying the model to determine whether the current value is within the range of expected values for the metric at the current
time; and

implementing a remedial action for the endpoint when the current value is not within the range of expected values for the
metric at the current time.

US Pat. No. 9,965,627

LABELING OBJECTS ON AN ENDPOINT FOR ENCRYPTION MANAGEMENT

Sophos Limited, Abingdon...

1. A method comprising:
labeling each of a plurality of processes on an endpoint with a labeling scheme in which a process is either in, wherein the process conforms to a compliance policy administered for the endpoint from a remote threat management facility, or the process is out, wherein the process does not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;
labeling each of a plurality of files on the endpoint as either in, wherein the file is encrypted using a remotely managed key ring, or the file is out, wherein the file is not encrypted using the remotely managed key ring, thereby providing a plurality of in files and a plurality of out files;
providing access to the remotely managed key ring by the plurality of in processes, thereby facilitating access to the plurality of in files by the plurality of in processes;
changing a label for one of the plurality of processes from in to out in response to an observed action that exposes the process to an object external to the endpoint, thereby providing a relabeled process; and
revoking access by the relabeled process to the plurality of in files, thereby preventing the relabeled process from opening additional ones of the plurality of in files and preventing the relabeled process from creating a new in file.

US Pat. No. 9,824,090

EMULATING TRANSPARENT FILE PROCESSING

Sophos Limited, Abingdon...

1. A method for emulating transparent file processing, the method comprising:
receiving a file operation for a file, the file operation being a user-space file operation specifying a label for a volume
and a path specifying a unique location in a file system on the volume;

determining a type for the path, wherein the type is selected from a group consisting of an existing folder in the file system,
a physical device, and a synchronized folder for a remote service;

selecting a recipe for executing the file operation based upon the type, thereby providing a selected recipe, wherein the
selected recipe includes overmounting when the type includes the existing folder, remounting when the type includes the physical
device, and creating a new label when the type includes a synchronized folder; and

executing the file operation on the file with the selected recipe transparently to a user process that initiated the file
operation, wherein the recipe encrypts the file when the file is moved to the path by the file operation and decrypts the
file when the file is moved from the path by the file operation.

US Pat. No. 9,800,599

METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT

Sophos Limited, Abingdon...

1. A method for operating a scanning facility executing on processing circuitry, the method comprising:
receiving a request for content from a client at the scanning facility, the request including an outbound network request
from the client with a Uniform Resource Identifier (URI) including a domain for the URI;

saving contextual information from the request at the scanning facility, wherein the contextual information includes a character
string associated with an improperly typed URI of a registered domain name for an organization;

examining the request for compliance with a management policy at the scanning facility;
retrieving a content item responsive to the request at the scanning facility; and
analyzing, with the scanning facility, the contextual information from the request and the content item responsive to the
request to detect whether the content item includes restricted content based on the management policy.

US Pat. No. 9,992,228

USING INDICATIONS OF COMPROMISE FOR REPUTATION BASED NETWORK SECURITY

Sophos Limited, Abingdon...

1. A method comprising:
collecting a plurality of indications of compromise from an indication of compromise monitor on an endpoint, each one of the indications of compromise based upon one or more actions taken by one or more processes executing on the endpoint and observable by the indication of compromise monitor on the endpoint and each one of the indications of compromise including one or more descriptors and a description of one or more objects related to the one or more actions, at least one of the one or more descriptors including a category of the one or more objects related to the one or more actions;
identifying a low-reputation behavior indicating a threat level associated with the plurality of indications of compromise based upon a quantity of other endpoints that have seen the plurality of indications of compromise and a context for the one or more actions on the endpoint, wherein the context for the one or more actions on the endpoint includes a reputation of executables on the endpoint;
creating a coloring rule for the low-reputation behavior according to the threat level based upon an occurrence of the plurality of indications of compromise;
receiving the coloring rule at a security facility on the endpoint; and
applying the coloring rule with the security facility to color low reputation objects.

US Pat. No. 9,967,282

LABELING COMPUTING OBJECTS FOR IMPROVED THREAT DETECTION

Sophos Limited, Abingdon...

1. A method comprising:
processing a first object on an endpoint, the first object from a location external to the endpoint;
in response to a first observed action, coloring the first object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying the first object as exposed to external data;
at a second object internal to the endpoint, inheriting the descriptor when the second object is a target of an action by the first object;
applying a rule dependent on the descriptor, including the at least one attribute identifying the first object as exposed to external data, in response to a second observed action of the second object to detect a reportable event based in part on an exposure of the second object to the external data; and
transmitting information to a threat management facility about the reportable event, the information including a description of the reportable event and the second object along with the descriptor of the context.

US Pat. No. 10,063,373

KEY MANAGEMENT FOR COMPROMISED ENTERPRISE ENDPOINTS

Sophos Limited, Abingdon...

1. A method comprising:
labeling processes on an endpoint with a labeling scheme in which the processes are either in, wherein the processes conform to a compliance policy administered for the endpoint from a remote threat management facility, or the processes are out, wherein the processes do not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;
for in processes of the endpoint, providing access to encrypted files through a file system, with access to the encrypted files controlled by the file system and limited to processes in compliance with the compliance policy;
detecting a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy; and
in response to detecting the compromise, deleting key material cached on the endpoint to prevent decryption of the encrypted files through the file system for the in processes, thereby revoking access to the encrypted files by the processes executing on the endpoint.

US Pat. No. 9,967,267

FORENSIC ANALYSIS OF COMPUTING ACTIVITY

Sophos Limited, Abingdon...

3. A method for forensic analysis for computer processes, the method comprising:
instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects, and to record a sequence of events causally relating the number of computing objects;
detecting a security event associated with one of the number of computing objects, wherein detecting the security event includes detecting a potential data leakage;
in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the number of computing objects associated with the security event to one or more preceding ones of the number of computing objects;
applying a cause identification rule to the one or more preceding ones of the number of computing objects and the number of causal relationships while traversing the event graph to identify one of the number of computing objects as a cause of the security event;
traversing the event graph forward from the cause of the security event to identify one or more other ones of the number of computing objects affected by the cause; and
taking an action to remediate one or more of the identified computing objects.

US Pat. No. 9,774,613

SERVER DRIFT MONITORING

Sophos Limited, Abingdon...

1. A method comprising:
configuring a plurality of servers in a group of similarly configured servers with one or more executables in a known configuration,
each one of the plurality of servers configured to provide services across a network to remote clients;

instrumenting each of the plurality of servers to detect changes in the one or more executables in the plurality of servers,
and to periodically or continuously provide updates with information about the changes;

receiving the changes in the one or more executables at a threat management facility for an enterprise network that includes
the plurality of servers;

filtering the changes to exclude one or more changes by a valid user of one of the plurality of servers;
detecting a drift in a first one of the plurality of servers, the drift including a deviation of the changes in the one or
more executables in the first one of the plurality of servers relative to the changes in the one or more executables in other
ones of the plurality of servers; and

initiating a remedial action when the drift in the first one of the plurality of servers deviates beyond a predetermined threshold.

US Pat. No. 9,967,264

THREAT DETECTION USING A TIME-BASED CACHE OF REPUTATION INFORMATION ON AN ENTERPRISE ENDPOINT

Sophos Limited, Abingdon...

1. A method comprising:
detecting an action at an endpoint;
transmitting a first indication of compromise from the endpoint to a remote threat management facility, the first indication of compromise including a description of the action, wherein the description of the action includes an identifier of a process, executing on the endpoint, that took the action, wherein the description of the action further includes a second identifier of an object programmatically associated with the process through the action;
at the endpoint, receiving from the remote threat management facility a reputation score for the action and a time to live for the action, the reputation score based on the description of the action including the process and the object programmatically associated with the process through the action;
caching the description and the reputation score in an event cache on the endpoint for a duration equal to the time to live;
accumulating a plurality of the descriptions and reputation scores that have not expired in the event cache;
expiring at least one of the descriptions and reputation scores by removing the at least one of the descriptions and reputation scores from the event cache after the time to live;
generating a threat detection when a pattern of the descriptions and reputation scores in the event cache indicates malicious software operating on the endpoint; and
communicating the threat detection to the threat management facility.

US Pat. No. 9,942,263

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

Sophos Limited, Abingdon...

1. A method for configuring a sandbox for malware testing, the method comprising:
performing a reputation analysis of a sample of a software object to detect a known, safe software object that can be executed without further analysis; and
when the software object is determined, using the reputation analysis, to be other than safe,
performing the steps of:
determining a configuration of a target endpoint for the software object;
configuring a first sandbox to match the configuration of the target endpoint;
forwarding the software object to the first sandbox for execution; and
transferring the software object to at least one additional sandbox for further testing when the software object cannot confidently be categorized as safe or unsafe by the first sandbox.

US Pat. No. 9,917,851

INTRUSION DETECTION USING A HEARTBEAT

Sophos Limited, Abingdon...

1. A method of operating a gateway for an enterprise network, the method comprising:
receiving, at a gateway logically or physically interposed between an endpoint in the enterprise network and a second network,
the enterprise network separate from the second network and the gateway configured to pass network traffic between the enterprise
network and the second network, a heartbeat from the endpoint associated with the enterprise network, the heartbeat addressed
to the gateway, the heartbeat including a signal communicated periodically from the endpoint to the gateway, and the heartbeat
containing cryptographically secured information including at least information to indicate a security health status of the
endpoint and identifying information that identifies the endpoint providing the heartbeat to the gateway independently from
a source address for the heartbeat;

detecting an interruption of the heartbeat at the gateway based upon an error in or omission of an expected heartbeat;
following detecting the interruption of the heartbeat at the gateway, receiving, by the gateway, network traffic other than
the heartbeat from the endpoint, the network traffic addressed for forwarding by the gateway via the second network to a second
destination address outside the gateway from the enterprise network; and

responding to the interruption of the heartbeat in combination with the network traffic received following the interruption
by treating the endpoint as a compromised network asset and blocking network traffic from the endpoint.

US Pat. No. 9,779,433

SYSTEMS AND METHODS FOR DYNAMIC VENDOR AND VENDOR OUTLET CLASSIFICATION

Sophos Limited, Abingdon...

1. A method for dynamic vendor classification, said method comprising:
receiving website content from each of a plurality of websites at a dynamic vendor classification system, wherein the website
content represents at least a portion of the plurality of websites' construction, forming a plurality of website content;

normalizing the plurality of website content based upon hypertext markup language tags, encoded content, and a visual comparison
of screen shots for each one of the plurality of website content, thereby providing normalized content;

analyzing the normalized content using a processor based on a congruence analysis to identify content as congruent when the
normalized content is the same, and a similarity analysis to identify content as similar when the normalized content is made
up of substantially the same components but is not more than 90% the same;

identifying a vendor for each of the plurality of websites by comparing the categorized websites to stored data for known
vendors;

receiving a request from a customer to access one of the plurality of websites at a dynamic vendor classification module of
the dynamic vendor classification system;

determining whether a vendor of the one of the plurality of websites is trusted, not trusted, or uncertain using a first set
of rules when the one of the plurality of websites is congruent to a second one of the plurality of websites and a second
set of rules when the one of the plurality of websites is similar to the second one of the plurality of websites, wherein
the second set of rules for similar websites includes at least one rule for evaluating WHOIS registry information; and

controlling access to the one of the plurality of websites by the customer based upon whether the vendor is trusted, not trusted,
or uncertain.

US Pat. No. 10,313,367

METHOD AND SYSTEM FOR NETWORK ACCESS CONTROL BASED ON TRAFFIC MONITORING AND VULNERABILITY DETECTION USING PROCESS RELATED INFORMATION

Sophos Limited, Abingdon...

1. A system for network access control based on traffic monitoring and vulnerability detection using process related information, the system comprising:
computer executable code embodied in a non-transitory computer readable medium that, when executing one or more processors provide a plurality of process intercepting units, a pattern matching unit, and an intrusion prevention unit,
a plurality of devices for receiving at least one connection request from a process running on a host, each of the plurality of devices comprising a process intercepting unit of the plurality of process intercepting units configured for extracting the process related information and forwarding information including one or more of process related information, connection information, and network packet information,
the pattern matching unit configured for receiving the information from the process intercepting unit and forwarding the information; and
the intrusion prevention unit configured for receiving the information from the pattern matching unit, the intrusion prevention unit including a processing unit and a database, the database including a plurality of signatures defining a set of rules to detect attacks or intrusive activities on a network that can occur through the process, the plurality of signatures prepared based on information relating to the process, the intrusion prevention unit further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities, establish a verification report based on the known vulnerability, and send the verification report to the pattern matching unit,
wherein the pattern matching unit is further configured to receive the verification report from the intrusion prevention unit, verify whether the verification report is applicable to the process associated with network packet by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database, and send an authorization decision to the process intercepting unit regarding allowing continuing or blocking of the connection request from the process running on the host.

US Pat. No. 10,181,034

VIRTUAL MACHINE SECURITY

Sophos Limited, Abingdon...

1. A computer program product for managing malware in a virtualized environment, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
detecting an access to a file on a virtual machine;
transmitting the file to a secure virtual machine hosted by a hypervisor for the virtual machine;
analyzing the file with an antivirus scanner on the secure virtual machine;
when the antivirus scanner identifies a known malware component, performing the steps of:
selecting one of a plurality of tools for malware-specific remediation of the known malware component, wherein the plurality of tools include multiple configurations of a generic removal tool;
determining one or more actions required to remediate the known malware component; and
configuring the generic removal tool to perform the one or more actions, thereby providing a selected tool;
transmitting the selected tool to a security agent on the virtual machine;
receiving the selected tool at the security agent on the virtual machine;
executing the selected tool by the security agent on the virtual machine;
receiving an execution status for the selected tool at the secure virtual machine; and
when the execution status indicates a success for a remediation, transmitting a tool removal instruction to the security agent on the virtual machine, the tool removal instruction initiating removal of the selected tool, by the security agent, from the virtual machine, the removal of the selected tool freeing up at least one of memory or processing capacity on the virtual machine.

US Pat. No. 10,348,697

PORTABLE ENCRYPTION FORMAT

Sophos Limited, Abingdon...

1. A computer program product for creating portable encrypted content comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on an endpoint, performs the steps of:
receiving a selection of a file for encryption from a user;
requesting a token uniquely identifying a recipient of the file different than the user from a remote identity and access management system to which the recipient can authenticate using authentication credentials;
receiving the token;
transmitting the token to a remote key server;
requesting a cryptographic key associated with the token from the remote key server, the cryptographic key including an encryption key and a decryption key;
receiving the cryptographic key from the remote key server;
receiving a password from the user for local decryption of the file;
encrypting the file with the encryption key to create an encrypted file;
encrypting the decryption key to create an object that can be decrypted using the password to recover the decryption key; and
combining the encrypted file, the object containing the decryption key, application logic providing a user interface and decryption logic for accessing the file to provide a portable encrypted data object, wherein the user interface provides a first mode of accessing the file by supplying the password to locally decrypt the decryption key and a second mode of accessing the file by retrieving the decryption key from the remote key server using the token.

US Pat. No. 10,333,989

POLICY MANAGEMENT

Sophos Limited, Abingdon...

1. A method comprising:
organizing a number of applications into a number of application types;
providing a policy management service for an enterprise network, the policy management service configured to provide protection services to one or more endpoints in the enterprise network based on the application types;
detecting an application executing on one of the endpoints;
disassembling a binary executable for the application to recreate functional blocks of code for the application;
grouping a number of the functional blocks into a phenotype;
categorizing the application into one of the application types based on the phenotype; and
applying the protection services to the endpoint based on the one of the application types of the application.

US Pat. No. 10,284,598

HONEYPOT NETWORK SERVICES

Sophos Limited, Abingdon...

1. A non-transitory computer-readable medium comprising instructions executable by a processor for detecting a compromised device on a network, the instructions when executed causing the processor to perform steps, comprising:
at a threat management facility, monitor network activity within an enterprise network;
detect network activity indicative of network service discovery by a first device within the enterprise network, the network activity comprising requests to the same port at different addresses accessible through the enterprise network;
detect traffic from the first device to an unassigned network address within the enterprise network;
in response to detecting the network activity comprising requests made to the same port at different addresses and detecting traffic directed from the first device to the port at an unassigned network address within the enterprise network, present a honeypot network service with a known security flaw specific to the service typically provided at the port to the first device within the enterprise network by redirecting the traffic directed to the port at the unassigned network address to the honeypot network service for a limited period of time;
monitor communication between the first device and the honeypot network service to determine whether the monitored communication is indicative of compromise of the first device;
determine that the first device is compromised based on the monitored communication between the first device and the honeypot network service; and
based on a determination that the first device is compromised, initiate measures to remediate the first device.

US Pat. No. 10,263,966

PERIMETER ENFORCEMENT OF ENCRYPTION RULES

Sophos Limited, Abingdon...

1. A computer program product for securing network traffic comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
receiving an electronic mail message from a sender for transmittal to a recipient different from the sender, the electronic mail message including an attachment containing at least one file;
removing the attachment from the electronic mail message;
wrapping the attachment into a portable encrypted container that contains an encrypted instance of the file, an encrypted instance of a decryption key to decrypt the file, and program code providing a user interface that supports a first mode of decryption using remote resources and authentication credentials for the recipient and a second mode of decryption based on local input of a password for decrypting the decryption key;
attaching the portable encrypted container to the electronic mail message; and
transmitting the electronic mail message and the portable encrypted container to an electronic mail gateway for communication from the sender to the recipient.

US Pat. No. 10,333,990

POLICY MANAGEMENT

Sophos Limited, Abingdon...

1. A computer program product comprising non-transitory computer executable code embodied in a computer readable medium that, when executing on one or more computing devices, performs the steps of:
organizing a number of applications into a number of application types including at least a messaging category, an electronic mail category, a word processing category, a database category, and a browser category;
providing a policy management service for an enterprise network, the policy management service configured to provide protection services to one or more endpoints of the enterprise network by restricting usage of endpoint resources based on the number of application types and a connection type;
detecting an application executing on one of the endpoints;
identifying the connection type for the one of the endpoints;
determining one of the number of application types for the application by disassembling binary code of the application to recreate one or more functional blocks of the application and matching the one or more functional blocks to a phenotype representing one of the number of application types; and
applying the protection services to conditionally limit network access by the application on the endpoint based on the one of the number of application types and the connection type for the one of the endpoints.

US Pat. No. 10,474,448

METHOD AND SYSTEM FOR PROVIDING SOFTWARE UPDATES TO LOCAL MACHINES

Sophos Limited, Abingdon...

1. A method of updating a threat management policy among computers in a local network, the method comprising:
receiving a descriptor file at a first device of a plurality of local computing devices coupled in a communicating relationship to one another through a local network that supports broadcast communications, the descriptor file including a hash code for each of a plurality of update sub-files and indicating an order in which the plurality of update sub-files assemble into a threat management policy update;
determining if the threat management policy update is relevant to a resident threat management policy on the first device based on matching an identifier for the threat management policy update contained in the descriptor file to an identifier for the resident threat management policy on the first device;
if the threat management policy update is relevant to the resident threat management policy on the first device, determining that one of the plurality of update sub-files is not stored in a memory of the first device based on a comparison of a corresponding one of the hash codes included in the descriptor file with the hash code for one or more of the plurality of update sub-files currently stored in the memory;
downloading the one of the plurality of update sub-files to the first device;
broadcasting the one of the plurality of update sub-files from the first device to other ones of the plurality of local computing devices using a broadcast protocol of the local network; and
comparing the hash codes of the update sub-files provided in the descriptor file to the hash codes for sub-files stored in the memory of the first device and, if all sub-files are found to be in the memory of the first device, assembling the threat management policy update from the plurality of update sub-files and installing the threat management policy update.

US Pat. No. 10,447,708

SERVER DRIFT MONITORING

Sophos Limited, Abingdon...

1. A method comprising:
configuring a plurality of servers in a group of similarly configured servers with one or more executables in a known configuration, each one of the plurality of servers configured to provide services across a network to remote clients;
instrumenting each of the plurality of servers to detect changes in a number of network connections by the plurality of servers, and to periodically or continuously provide updates with information about the changes;
receiving the changes in the number of network connections at a threat management facility for an enterprise network that includes the plurality of servers;
detecting a drift in a first one of the plurality of servers, the drift including a deviation of the changes in the number of network connections by the first one of the plurality of servers relative to the changes in the number of network connections by other ones of the plurality of servers, wherein detecting includes detecting by a number of classes of changes each specifying an actor initiating one of the changes; and
initiating a remedial action when the drift in the first one of the plurality of servers deviates beyond a predetermined threshold, wherein the predetermined threshold is a different threshold for each of the number of classes of changes.

US Pat. No. 10,417,418

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

Sophos Limited, Abingdon...

2. A method for malware detection comprising:
instrumenting an endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the endpoint;
recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph to identify a compromised security state of the endpoint; and
when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state.

US Pat. No. 10,417,419

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

Sophos Limited, Abingdon...

5. A method for malware detection comprising:
instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the first endpoint;
excluding, from the first set of logical locations, at least one logical location associated with a known, good process;
recording a sequence of events causally relating the number of computing objects at the first set of logical locations excluding the at least one logical location associated with the known, good process;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph; and
remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.

US Pat. No. 10,524,130

THREAT INDEX BASED WLAN SECURITY AND QUALITY OF SERVICE

Sophos Limited, Abingdon...

1. A computer-implemented method comprising:
receiving a request from a client device connected to a network via a wireless link, wherein the request is communicated from the client device over the wireless link to a wireless access point;
determining, by the wireless access point, a threat index value for the client device, wherein the threat index value is determined based on one or more radio frequency (RF) characteristics of the client device communicating over the wireless link and a reliability index value associated with the client device, wherein the one or more RF characteristics comprise an angle of arrival, a beamforming characteristic, or a received signal strength indicator (RSSI);
determining one or more security policies associated with one or more respective network resources, wherein each security policy applies one or more rules for allocating one of the network resources; and
determining allocation of one or more of the network resources to the client device based on the one or more security policies and the threat index value.

US Pat. No. 10,489,588

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

Sophos Limited, Abingdon...

2. A method for malware detection comprising:
instrumenting an endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the endpoint;
recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph to identify a compromised security state of the endpoint; and
when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state.

US Pat. No. 10,469,261

KEY MANAGEMENT FOR COMPROMISED ENTERPRISE ENDPOINTS

Sophos Limited, Abingdon...

1. A method comprising:
labeling processes on an endpoint with a labeling scheme in which the processes are either in processes or out processes, the in processes conforming to a compliance policy administered for the endpoint from a remote threat management facility, and the out processes not conforming to the compliance policy;
for in processes of the endpoint, providing access to encrypted files stored on a remote cloud resource, with access to the encrypted files stored on the remote cloud resource limited to the in processes;
detecting a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy; and
in response to detecting the compromise, deleting key material cached on the endpoint to prevent decryption, by the endpoint, of the encrypted files stored on the remote cloud resource.

US Pat. No. 10,469,522

KEY THROTTLING TO MITIGATE UNAUTHORIZED FILE ACCESS

Sophos Limited, Abingdon...

1. A computer program product for throttling access to encrypted files in response to potentially malicious activity, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
encrypting a plurality of files on an endpoint to provide a plurality of encrypted files that can be decrypted with a key;
providing a file system for accessing the plurality of files with one or more processes executing on the endpoint, wherein the file system includes a file system extension that functions to conditionally provide decryption of the encrypted files based on a current security state of the endpoint, the file system extension using the key to decrypt a requested one of the plurality of files in response to a request from one of the one or more processes for the requested one of the files;
monitoring access to the plurality of files by the one or more processes for a potential indication of compromise; and
limiting a rate at which the file system extension uses keys to decrypt the files when a pattern of access to the files indicates potentially malicious automated file access.

US Pat. No. 10,460,105

ENDPOINT MALWARE DETECTION USING AN EVENT GRAPH

Sophos Limited, Abingdon...

5. A method for malware detection comprising:
instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the first endpoint;
excluding, from the first set of logical locations, at least one logical location associated with a known, good process;
recording a sequence of events causally relating the number of computing objects at the first set of logical locations excluding the at least one logical location associated with the known, good process;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph; and
remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.

US Pat. No. 10,382,459

THREAT DETECTION USING A TIME-BASED CACHE OF REPUTATION INFORMATION ON AN ENTERPRISE ENDPOINT

Sophos Limited, Abingdon...

1. A method comprising:
detecting an action at an endpoint;
receiving, from a threat management facility on the endpoint, a reputation score for the action and a time to live for the action, the reputation score based on a description of the action including a process, executing on the endpoint, that took the action and an object programmatically associated with the process through the action;
caching the description and the reputation score in an event cache on the endpoint for a duration equal to the time to live;
accumulating a plurality of the descriptions and reputation scores that have not expired in the event cache;
expiring at least one of the descriptions and reputation scores by removing the at least one of the descriptions and reputation scores from the event cache after the time to live;
generating a threat detection when a pattern of the descriptions and reputation scores in the event cache indicate malicious software operating on the endpoint; and
communicating the threat detection to an analysis facility external to the endpoint.

US Pat. No. 10,367,815

PROTECTING SENSITIVE INFORMATION FROM A SECURE DATA STORE

Sophos Limited, Abingdon...

1. A method of protecting stored information, the method comprising:
storing a security policy for controlling access by a network endpoint to an encrypted remote data store, the security policy requiring a data store connected to the network endpoint to meet one or more security requirements for identification as a secure data store, the one or more security requirements including a requirement that the data store connected to the network endpoint be encrypted;
receiving an indication at a threat management facility that a first endpoint has access to the encrypted remote data store;
auditing the first endpoint to determine whether a security parameter of a first data store connected to the first endpoint is compliant with the one or more security requirements for identification as a secure data store;
when the security parameter of the first data store is compliant with the one or more security requirements for identification as a secure data store, permitting dissemination of data from the encrypted remote data store to the first endpoint; and
when the security parameter of the first data store is not compliant with at least one of the one or more security requirements, causing the first endpoint to implement an action by the first endpoint to regulate dissemination of data from the encrypted remote data store to the first endpoint.

US Pat. No. 10,558,800

LABELING OBJECTS ON AN ENDPOINT FOR ENCRYPTION MANAGEMENT

Sophos Limited, Abingdon...

1. A computer program product comprising non-transitory computer executable code embodied in a computer readable medium that, when executing on an endpoint, performs the steps of:
labeling each of a plurality of processes on an endpoint with a labeling scheme in which a process is either in, wherein the process conforms to a compliance policy administered for the endpoint from a remote threat management facility, or the process is out, wherein the process does not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes;
labeling each of a plurality of files on the endpoint with a label at a persistent location on the endpoint as either in or out according to a context for each file, thereby providing a plurality of in files and a plurality of out files, wherein the label for at least one of the files is inferred from one of the plurality of processes that accessed the file;
providing conditional access to the in files with a file system that includes an application programming interface for controlling access according to the label, thereby restricting access to the plurality of in files to the plurality of in processes;
changing the label for one of the plurality of processes from in to out in response to an observed action that exposes the process to an object external to the endpoint, thereby providing a relabeled process; and
revoking access through the file system by the relabeled process to the plurality of in files, thereby preventing the relabeled process from opening additional ones of the plurality of in files and preventing the relabeled process from creating a new in file.

US Pat. No. 10,476,894

EVALUATING INSTALLERS AND INSTALLER PAYLOADS

Sophos Limited, Abingdon...

1. A method for evaluating computer objects supplied in an installer for unpacking and execution on a computing device, the method comprising:
receiving an installer on an endpoint, the installer containing one or more packed computer objects;
determining a reputation of the installer;
unpacking each of the packed computer objects on the endpoint to provide one or more unpacked computer objects, wherein unpacking includes creating a signature for each of the packed computer objects before unpacking;
associating the reputation of the installer with each of the one or more unpacked computer objects such that the reputation of the installer is inherited as a first reputation of each of the one or more unpacked computer objects;
in a secure environment, analyzing each of the unpacked computer objects to evaluate compliance with a security policy and provide a second reputation, wherein analyzing each of the unpacked computer objects includes looking up information using the signature for one or more of the packed computer objects;
for each of the one or more unpacked computer objects, reconciling the first reputation and the second reputation to a reconciled reputation, the reconciled reputation based on weighting each of the first reputation and the second reputation according to confidence in the respective reputation;
providing a determination regarding whether to permit or deny execution of each of the one or more unpacked computer objects on the endpoint based on the reconciled reputation; and
based on the determination, permitting or denying execution of each of the one or more unpacked computer objects on the endpoint.

US Pat. No. 10,462,662

COMBINED SECURITY AND QOS COORDINATION AMONG DEVICES

Sophos Limited, Abingdon...

2. A computer implemented method to maintain security and wireless network service, the method comprising:
establishing, by a firewall, respective secure channels with each of a plurality of wireless access points (WAPs) and each of a plurality of endpoints;
receiving, by the firewall, a plurality of reports communicated over the respective secure channels from the plurality of WAPs and the plurality of endpoints, each of the plurality of reports including security status information and wireless network status information;
deriving network configuration changes based on one or more of the reports, the network configuration changes balancing an assignment of a number of endpoints, including the plurality of endpoints, among the plurality of WAPs based at least in part on an indication of application use determined by a security routine on one of the plurality of endpoints and reported to the firewall using one of the secure channels; and
transmitting commands to at least a subset of the plurality of endpoints, the commands to direct implementation of the network configuration changes.

US Pat. No. 10,454,903

PERIMETER ENCRYPTION

Sophos Limited, Abingdon...

1. A computer program product for managing communications through an electronic mail gateway, the computer program product comprising computer executable code embodied in a non-transitory memory that, when executing on the electronic mail gateway, performs the steps of:
storing an encryption key on the electronic mail gateway, the encryption key associated with users of an enterprise network;
receiving an electronic mail communication at the electronic mail gateway, wherein the electronic mail communication includes an outbound communication to a recipient outside of the enterprise network, and wherein the electronic mail communication includes an attachment that is encrypted with the encryption key;
decrypting the attachment at the electronic mail gateway to provide a decrypted attachment;
performing a security scan on the decrypted attachment at the electronic mail gateway;
routing the electronic mail communication from the electronic mail gateway based on a result of the security scan;
wrapping the decrypted attachment in a portable encryption container that contains an encrypted instance of the decrypted attachment and an encrypted instance of a decryption key to decrypt the encrypted instance of the decrypted attachment; and
attaching the portable encryption container to the electronic mail communication in place of the attachment.

US Pat. No. 10,599,616

EMULATING TRANSPARENT FILE ENCRYPTION

Sophos Limited, Abingdon...

1. A method for emulating transparent file encryption, the method comprising:
receiving a file operation for a file, the file operation being a user-space file operation specifying a label for a volume and a path specifying a unique location in a synchronized folder of encrypted files on a cloud-based file synchronization service;
creating a secure directory using a secure mount point process at a new location adjacent to the unique location;
marking the unique location as hidden using a file system folder attribute;
using a new label for the new location and renaming the new location to the unique location;
redirecting access to the unique location to the new location, thereby providing a new label for accessing the unique location; and
executing the file operation on the file using the new label to transparently apply a recipe that encrypts the file when the file is moved to the synchronized folder by the file operation and decrypts the file when the file is moved from the synchronized folder by the file operation.

US Pat. No. 10,594,717

CONTEXT-DEPENDENT TIMEOUT FOR REMOTE SECURITY SERVICES

Sophos Limited, Abingdon...

1. A computer program product comprising computer executable code embodied on a non-transitory computer readable medium that, when executing on an endpoint, performs the steps of:
intercepting a request for content from a browser executing on the endpoint, the request including a Uniform Resource Locator that identifies a recipient for the request on a data network;
applying a machine learning classifier locally on the endpoint to estimate a risk associated with the Uniform Resource Locator;
transmitting a lookup request for the Uniform Resource Locator from the endpoint to a remote threat management facility;
determining a timeout for a response from the remote threat management facility to the lookup request based on the risk determined by the machine learning classifier, the timeout providing a window of limited duration for receiving the response at the endpoint;
when the response is received within the window provided by the timeout, processing the request for content according to the response from the remote threat management facility; and
when the response is not received within the window provided by the timeout, processing the request for content using a default local rule on the endpoint.

US Pat. No. 10,528,739

BOOT SECURITY

Sophos Limited, Abingdon...

1. A system, comprising:
a processor; and
a non-transitory computer readable medium comprising instructions that when executed on the processor cause the processor to perform steps comprising:
sending a request to a first device;
receiving first device information from the first device, the first device information comprising operating context information;
receiving a request from the first device;
in response to the request, sending a challenge to the first device;
in response to the challenge, receiving a first set of boot information from the first device and a cryptographic proof of the challenge, the first set of boot information including a list of boot items;
receiving a first attestation vector from the first device, the first attestation vector comprising one or more platform configuration register (PCR) values and a digital signature on at least one of the one or more PCR values;
verifying the list of boot items based on the first attestation vector;
determining a reputation for one or more boot items in the list of boot items, including determining a reputation for a given one of the one or more boot items based on a pattern of change over time for the given one of the one or more boot items as reported in an attestation for the given one of the one or more boot items from multiple devices; and
generating an alert based on the determined reputation.

US Pat. No. 10,516,531

KEY MANAGEMENT FOR COMPROMISED ENTERPRISE ENDPOINTS

Sophos Limited, Abingdon...

1. A method comprising:
labeling processes on an endpoint with a labeling scheme in which the processes are either in processes or out processes, the in processes conforming to a compliance policy administered for the endpoint from a remote threat management facility, and the out processes not conforming to the compliance policy;
for in processes of the endpoint, providing access to encrypted files stored on a remote cloud resource, with access to the encrypted files stored on the remote cloud resource limited to the in processes;
detecting a compromise of the endpoint based on a change of an in process to an out process when the in process falls out of compliance with the compliance policy; and
in response to detecting the compromise, deleting key material cached on the endpoint to prevent decryption, by the endpoint, of the encrypted files stored on the remote cloud resource.

US Pat. No. 10,225,286

USING INDICATIONS OF COMPROMISE FOR REPUTATION BASED NETWORK SECURITY

Sophos Limited, Abingdon...

1. A method comprising:
collecting a plurality of indications of compromise from an endpoint, each one of the indications of compromise based upon one or more actions taken by one or more processes executing on the endpoint, and at least one of the plurality of indications of compromise including a category of one or more objects related to the one or more actions and a description of one or more objects related to the one or more actions;
identifying a low-reputation behavior based upon a quantity of other endpoints that have seen the plurality of indications of compromise and a context for the one or more actions on the endpoint;
creating a coloring rule for the low-reputation behavior based upon an occurrence of the plurality of indications of compromise;
receiving the coloring rule at a security facility on the endpoint; and
applying the coloring rule with the security facility to color low reputation objects.

US Pat. No. 10,630,698

METHOD AND SYSTEM FOR NETWORK ACCESS CONTROL BASED ON TRAFFIC MONITORING AND VULNERABILITY DETECTION USING PROCESS RELATED INFORMATION

Sophos Limited, Abingdon...

1. A system for network access control based on traffic monitoring and vulnerability detection using process related information, the system comprising:
computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more processors, provides a plurality of process intercepting units, a pattern matching unit, and an intrusion prevention unit,
a plurality of devices for receiving at least one connection request from a process running on a host, each of the plurality of devices comprising a process intercepting unit of the plurality of process intercepting units configured for extracting the process related information and forwarding information including one or more of process related information, connection information, and network packet information,
the pattern matching unit configured for receiving the information from the process intercepting unit and forwarding the information; and
the intrusion prevention unit configured for receiving the information from the pattern matching unit, the intrusion prevention unit including a processing unit and a database, the database including a plurality of signatures defining a set of rules to detect attacks or intrusive activities on a network that can occur through the process, the plurality of signatures prepared based on information relating to the process, the intrusion prevention unit further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities, establish a verification report based on the known vulnerability, and send the verification report to the pattern matching unit,
wherein the pattern matching unit is further configured to receive the verification report from the intrusion prevention unit, verify whether the verification report is applicable to the process associated with network packet by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database, and send an authorization decision to the process intercepting unit regarding allowing continuing or blocking of the connection request from the process running on the host.

US Pat. No. 10,616,269

USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS

Sophos Limited, Abingdon...

1. A system comprising:
an endpoint associated with an enterprise, the endpoint including a computing device comprising a memory and a processor, the endpoint executing a process from a file, and the endpoint configured to evaluate a local reputation of the file based at least in part on a certificate associated with a source of the file;
a gateway associated with the enterprise and coupled in a communicating relationship with the endpoint, the gateway configured to detect the process executing from the file on the endpoint and to request a global reputation of the file from a remote resource, the gateway further configured to enforce a network policy of the enterprise by detecting network traffic from the endpoint in violation of the network policy and providing a violation notification to the remote resource in response to the network traffic; and
a threat management facility associated with the enterprise and coupled in a communicating relationship with the gateway and the endpoint, the threat management facility configured to receive the request from the gateway and to determine a global reputation of the file, the threat management facility further configured to receive the local reputation from the endpoint and, in response to receipt of the violation notification, to respond by determining a remedial action for the file on the endpoint based upon the local reputation evaluated by the endpoint based at least in part on the certificate associated with the source of the file, the global reputation of the file determined by the threat management facility, and the violation notification from the gateway in response to the network traffic from the endpoint in violation of the network policy.

US Pat. No. 10,515,211

USE OF AN APPLICATION CONTROLLER TO MONITOR AND CONTROL SOFTWARE FILE AND APPLICATION ENVIRONMENTS

Sophos Limited, Abingdon...

1. A computer program product for operating an application controller on an endpoint in an enterprise network, the computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
in response to a selection of a file, retrieving a reputation of the file stored in metadata for the file, wherein the reputation includes at least one access and security parameter for the file and wherein the reputation is remotely stored in a database independent of the application controller and accessible by the application controller;
in response to the access and security parameter, selecting a software application with the application controller from a number of software applications on the endpoint for opening the file based on the reputation of the file and a security configuration of the number of software applications, wherein the number of software applications include at least one insecure application for opening the file in an application environment when the file has a good reputation and at least one secure application for opening the file in the application environment when the file has a poor or unknown reputation, and, as compared to opening the file in the application environment with the at least one insecure application, the at least one secure application opens the file in the application environment with more limited access to resources of the application environment;
launching the selected software application to open the file and access the file in accordance with the security configuration for the selected software application;
managing use of the file by the software application with the application controller, wherein the application controller is configured to adjust resources available to the selected software application on the endpoint; and
escalating the selected software application to an insecure application by granting the selected software application access to additional resources of the application environment upon determination that the file is safe and imposing more restrictions on access to resources of the application environment by the selected software application upon determining that the file contains a threat.

US Pat. No. 10,516,682

FORENSIC ANALYSIS OF COMPUTING ACTIVITY

Sophos Limited, Abingdon...

2. A method for forensic analysis for computer processes, the method comprising:
instrumenting a first endpoint to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for one type of the computing objects than for a second type of the computing objects;
detecting a security event associated with one of the computing objects;
in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event;
traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause; and
remediating one or more of the identified computing objects.
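The claim above is a graph procedure: record causal events with per-type retention, walk the graph backwards from the detected object to a cause, then walk forwards from that cause to collect everything it touched. The following is an added example written for this page, not Sophos code; the retention windows, the rule that the cause is the earliest predecessor-free object reached on the backward walk, the per-type remediation actions and the event data are all this example's assumptions.

```python
from collections import defaultdict, deque

# Retention window per object type, in seconds (assumed). Processes are kept
# longest so a cause is still reachable after short-lived network events age out.
RETENTION = {"process": 3600, "file": 900, "network": 300}
ACTION = {"process": "terminate", "file": "quarantine", "network": "block"}

class EventGraph:
    def __init__(self):
        self.events = []   # (ts, src, dst, action): src causally precedes dst
        self.kind = {}     # object -> "process" | "file" | "network"

    def record(self, ts, src, src_kind, dst, dst_kind, action):
        self.kind[src], self.kind[dst] = src_kind, dst_kind
        self.events.append((ts, src, dst, action))

    def prune(self, now):
        """Drop events whose target object has aged past its type's window."""
        self.events = [e for e in self.events
                       if now - e[0] <= RETENTION[self.kind[e[2]]]]

    def _edges(self):
        fwd, back = defaultdict(set), defaultdict(set)
        for _, src, dst, _ in self.events:
            fwd[src].add(dst)
            back[dst].add(src)
        return fwd, back

    def _walk(self, start, edges):
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in edges[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def find_cause(self, obj):
        """Reverse traversal from the object of the security event. The cause
        is the predecessor-free object reached first in time (assumption)."""
        _, back = self._edges()
        roots = [o for o in self._walk(obj, back) if not back[o]]
        first_seen = {}
        for ts, src, dst, _ in sorted(self.events):
            first_seen.setdefault(src, ts)
            first_seen.setdefault(dst, ts)
        return min(roots, key=lambda r: first_seen[r])

    def affected_by(self, cause):
        """Forward traversal: every object reachable from the cause."""
        fwd, _ = self._edges()
        return self._walk(cause, fwd) - {cause}

def remediation_plan(graph, detected_obj):
    """Cause plus one remediation action per affected object."""
    cause = graph.find_cause(detected_obj)
    targets = graph.affected_by(cause) | {cause}
    return cause, {obj: ACTION[graph.kind[obj]] for obj in targets}

def build_sample():
    """Constructed event sequence: a document opens, spawns a shell, which
    fetches and drops a binary that then encrypts user files."""
    g = EventGraph()
    g.record(50, "explorer.exe", "process", "notepad.exe", "process", "spawned")
    g.record(100, "invoice.doc", "file", "winword.exe", "process", "opened by")
    g.record(110, "winword.exe", "process", "powershell.exe", "process", "spawned")
    g.record(112, "powershell.exe", "process", "203.0.113.5:443", "network", "connected")
    g.record(115, "powershell.exe", "process", "payload.exe", "file", "wrote")
    g.record(120, "payload.exe", "file", "report.xlsx", "file", "encrypted")
    g.record(121, "payload.exe", "file", "plan.docx", "file", "encrypted")
    return g

if __name__ == "__main__":
    cause, plan = remediation_plan(build_sample(), "payload.exe")
    print("root cause:", cause)
    for obj, act in sorted(plan.items()):
        print(f"  {act:10s} {obj}")
```

Note what the retention rule costs: after `prune(now=500)` the network event (300 s window) is gone, so the forward walk no longer lists the remote address to block, while the process and file chain that leads to the cause survives.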

US Pat. No. 10,667,130

COMBINED SECURITY AND QOS COORDINATION AMONG DEVICES

Sophos Limited, Abingdon...

1. A computer-implemented method to provide security and wireless network service, the method comprising:
establishing a wireless link between a wireless interface of a wireless access point (WAP) and an endpoint;
exchanging network traffic with the endpoint through the wireless link;
authenticating a security routine executed by a processor of the endpoint;
establishing, through the wireless link and the WAP, and in response to authentication of the security routine, a secure channel that shares the wireless link with the network traffic;
recurrently receiving an indication of a security status of the endpoint through at least the secure channel, wherein each indication of the security status comprises at least one of an indication of commencement of execution of an application by a processor of the endpoint and an indication of cessation of execution of the application by the processor of the endpoint;
monitoring performance of the wireless link;
deriving a change to a setting associated with a characteristic of the wireless link based on the performance of the wireless link;
deriving a command based on the security status, wherein the command comprises at least one of a change to the setting to increase a data transfer rate of the wireless link in response to commencement of execution of the application and a change to the setting to decrease the data transfer rate of the wireless link in response to cessation of execution of the application; and
transmitting the command to the endpoint to change the setting through at least the secure channel.

US Pat. No. 10,657,277

BEHAVIORAL-BASED CONTROL OF ACCESS TO ENCRYPTED CONTENT BY A PROCESS

Sophos Limited, Abingdon...

1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:
encrypting a plurality of files on the endpoint to prevent unauthorized access to the plurality of files;
monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein the process is initially identified as secure, and the process is identified as exposed when the process accesses an object identified as exposed; and
restricting access by the process to the plurality of files when the process is exposed by controlling access to the plurality of files through a file system filter that conditionally decrypts one or more of the plurality of files for the process according to the exposure state of the process.

US Pat. No. 10,652,273

MITIGATION OF ANTI-SANDBOX MALWARE TECHNIQUES

Sophos Limited, Abingdon...

1. A method for configuring a sandbox for malware testing, the method comprising:
analyzing, at a threat management facility, at least one digital signature of a software object for a target endpoint to detect a known, trusted software object that can be executed without further analysis, the at least one digital signature verifying an origin of the software object;
when the software object is determined to be trusted, proceeding directly to forwarding the software object from the threat management facility to an endpoint; and
when the software object is determined, based on the digital signature, to be other than trusted, performing, at the threat management facility, the steps of:
sending, to a repository of configuration information of an enterprise, a request for configuration information of the target endpoint for the software object;
receiving, in response to the request, the configuration information of the target endpoint for the software object;
configuring the sandbox to match the configuration information of the target endpoint for the software object, the sandbox instrumented to detect a known anti-sandbox malware component and the sandbox configured to disguise virtualization of the sandbox by mimicking at least one environmental variable of the target endpoint; and
forwarding the software object to the sandbox for execution.

US Pat. No. 10,650,141

MITIGATION OF RETURN-ORIENTED PROGRAMMING ATTACKS

Sophos Limited, Abingdon...

1. A computer program product for mitigating trampoline-based attacks, the computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more processors, performs the steps of:
providing a computing device executing an operating system with a user space and a system space;
configuring the computing device to detour one or more function calls for kernel functions to one or more stub locations corresponding to one or more security processes that provide predetermined return addresses for the kernel functions;
constructing an array including ordinals identifying the kernel functions and, for each one of the ordinals, a respective stub location of one of the one or more security processes for one of the kernel functions identified by the given one of the ordinals;
when a call for a memory function of the kernel functions is made from a process executing in the user space into a kernel executing in the system space, detouring the call to one of the security processes;
in the one of the one or more security processes, determining a predicted return address and a predicted ordinal for the call using a lookup in the array;
performing a comparison of the predicted return address and the predicted ordinal from the array to an actual return address and an actual ordinal for a function of the call;
detecting a possible return-oriented programming attack when a mismatch is detected during the comparison; and
returning control to a calling process that initiated the call to the function.

US Pat. No. 10,650,154

PROCESS-LEVEL CONTROL OF ENCRYPTED CONTENT

Sophos Limited, Abingdon...

1. A computer program product for securing an endpoint against malicious activity, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:
encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
receiving, from one of a plurality of processes executing on the endpoint, a request to access one of the plurality of files;
decrypting the one of the plurality of files for the one of the plurality of processes with an extension to a file system of the endpoint that responsively applies rules for whether to allow or prohibit access to encrypted files within the file system on a process-by-process basis;
monitoring a security state of the one of the plurality of processes, wherein monitoring the security state of the one of the plurality of processes includes monitoring network traffic associated with the one of the plurality of processes;
if the security state of the one of the plurality of processes becomes a compromised state, performing the steps of maintaining access by the one of the plurality of processes to any open ones of the plurality of files, including the one of the plurality of files, prohibiting access by the one of the plurality of processes to other ones of the plurality of files, and initiating a remediation of the one of the plurality of processes by facilitating a restart of the one of the plurality of processes; and
if the remediation of the one of the plurality of processes is successful, restoring access by the one of the plurality of processes to the plurality of files.

US Pat. No. 10,643,259

SYSTEMS AND METHODS FOR DYNAMIC VENDOR AND VENDOR OUTLET CLASSIFICATION

Sophos Limited, Abingdon...

1. A method for dynamic vendor classification, said method comprising:
receiving website content from each website of a plurality of websites at a dynamic vendor classification system, wherein the website content represents at least a portion of each website of the plurality of websites, forming a plurality of website content;
normalizing the plurality of website content based upon at least one of hypertext markup language tags, encoded content, or a visual comparison of screen shots for each one of the plurality of website content, thereby providing normalized content;
analyzing the normalized content using a processor to identify the normalized content as congruent when the normalized content is at least 90% the same, to identify the normalized content as similar when the normalized content is less than 90% the same and is greater than 60% the same, and to identify the normalized content as different when the normalized content is less than 60% the same, thereby providing a plurality of categorized websites categorized by similarity;
storing the plurality of categorized websites, each categorized website having a category of similarity relative to at least one other one of the plurality of categorized websites, in a library, along with sets of rules to be used depending upon the category of similarity;
receiving a request from a customer to access a first website of the plurality of websites at a dynamic vendor classification module of the dynamic vendor classification system;
in response to receiving the request, based on the plurality of categorized websites already stored, determining whether a vendor of the first website is trusted, not trusted, or uncertain using a stored category of similarity of the first website relative to a second website of the plurality of websites, wherein determining whether the vendor of the first website is trusted, not trusted, or uncertain includes using a first set of rules from the sets of rules when the stored category of similarity of the first website relative to the second website indicates that the first website is congruent to the second website and using a second set of rules from the sets of rules when the stored category of similarity of the first website relative to the second website indicates that the first website is similar to the second website, the second set of rules for similar websites including at least one rule for comparing a language and a hosting location; and
when the vendor of the first website is categorized as uncertain, flagging the vendor for monitoring to gather additional information for a trust analysis.
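The claim above fixes two concrete things a practitioner can implement directly: a normalisation step based on HTML tags, and the 90% / 60% similarity bands that select which rule set applies. The following is an added example written for this page, not Sophos code; it covers only the tag-based normalisation (not the screenshot comparison the claim also allows), uses `difflib.SequenceMatcher` as the similarity measure, and the rule that a similar site inherits the stored verdict only when language and hosting location also match is this example's assumption, as are the sample pages.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Keeps visible text only; <script>/<style> bodies and comments are dropped."""
    SKIP = {"script", "style"}
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def normalize(html: str) -> str:
    """Tag-based normalisation: strip markup, collapse whitespace, lowercase."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", " ".join(p.parts)).strip().lower()

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()

def similarity_category(ratio: float) -> str:
    """The 90% / 60% bands from the claim."""
    if ratio >= 0.9:
        return "congruent"
    if ratio > 0.6:
        return "similar"
    return "different"

def decide(category: str, known: dict, candidate: dict) -> str:
    """First rule set (congruent): reuse the stored verdict. Second rule set
    (similar): reuse it only if language and hosting location also match; a
    look-alike page hosted elsewhere is the classic clone and stays uncertain.
    Different pages give no basis for trust. (Rule details are assumptions.)"""
    if category == "congruent":
        return known["trust"]
    if (category == "similar" and known["language"] == candidate["language"]
            and known["hosting"] == candidate["hosting"]):
        return known["trust"]
    return "uncertain"

def classify_vendor(candidate_html: str, candidate: dict, library: dict) -> dict:
    """Match the requested site against the stored library and apply the rules."""
    text = normalize(candidate_html)
    name, ratio = max(((n, similarity(text, e["text"])) for n, e in library.items()),
                      key=lambda t: t[1])
    category = similarity_category(ratio)
    verdict = decide(category, library[name], candidate)
    return {"match": name, "category": category, "verdict": verdict,
            "monitor": verdict == "uncertain"}   # uncertain vendors get flagged

# Constructed sample pages (all well under 200 characters of text).
KNOWN_HTML = """<html><head><title>ACME Outdoor Store</title>
<style>body{margin:0}</style></head><body>
<h1>ACME Outdoor Store</h1><p>Free shipping on orders over 50.</p>
<p>Secure checkout. Contact us: 555-0100</p></body></html>"""
LIBRARY = {"acme-outdoor.example": {"trust": "trusted", "language": "en",
                                    "hosting": "DE", "text": normalize(KNOWN_HTML)}}
# Same page re-indented, with a tracking script and a comment: congruent.
CLONE_HTML = """<html><head><title>ACME   Outdoor Store</title>
  <style>body{margin:0}</style><script>track("x");</script></head>
  <body><!-- promo --><h1>ACME Outdoor Store</h1>
  <p>Free shipping on orders over 50.</p>
  <p>Secure checkout. Contact us: 555-0100</p></body></html>"""
# Known page plus one extra paragraph: similar, not congruent.
LOOKALIKE_HTML = KNOWN_HTML.replace(
    "</body>", "<p>New outlet: order by phone 555-0199</p></body>")
UNRELATED_HTML = "<html><body><p>Log in to verify your bank account</p></body></html>"

if __name__ == "__main__":
    for html in (CLONE_HTML, LOOKALIKE_HTML, UNRELATED_HTML):
        print(classify_vendor(html, {"language": "en", "hosting": "RU"}, LIBRARY))
```

`SequenceMatcher.ratio()` is 2M/T for M matched characters over T total, so a page that merely appends a paragraph to a known one lands in the similar band rather than congruent, which is exactly where the language and hosting comparison is meant to run.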

US Pat. No. 10,635,813

METHODS AND APPARATUS FOR USING MACHINE LEARNING ON MULTIPLE FILE FRAGMENTS TO IDENTIFY MALWARE

Sophos Limited, Abingdon...

1. An apparatus for using machine learning on multiple file fragments to identify malware, comprising:
a memory; and
a hardware processor of a malware detection device operatively coupled to the memory, the hardware processor configured to receive a file, the hardware processor configured to process at least a portion of the file into a first plurality of fragments, the hardware processor configured to analyze each fragment from the first plurality of fragments using a first machine learning model to identify within each fragment from the first plurality of fragments first information potentially relevant to whether the file is malicious and to define a set of first information including the first information from each fragment from the first plurality of fragments,
the hardware processor configured to select, from the set of first information, the first information most relevant to whether the file is malicious,
the hardware processor configured to process at least the portion of the file into a second plurality of fragments, a number of fragments in the second plurality of fragments being less than a number of fragments in the first plurality of fragments, the hardware processor configured to analyze each fragment from the second plurality of fragments using the first machine learning model to identify within each fragment from the second plurality of fragments second information potentially relevant to whether the file is malicious and to define a set of second information including the second information from each fragment from the second plurality of fragments,
the hardware processor configured to select, from the set of second information, the second information most relevant to whether the file is malicious,
the hardware processor configured to identify the file as malicious by analyzing, using a second machine learning model different from the first machine learning model, the first information most relevant to whether the file is malicious and the second information most relevant to whether the file is malicious, the second machine learning model configured to provide feedback to the first machine learning model based upon the analyzing the first information most relevant to whether the file is malicious and the second information most relevant to whether the file is malicious,
the hardware processor configured to quarantine the file based on identifying the file as malicious.

US Pat. No. 10,628,597

JUST-IN-TIME ENCRYPTION

Sophos Limited, Abingdon...

1. A computer program product for just-in-time encryption of files detected on an endpoint, the computer program product comprising computer executable code embodied in a nontransitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
adding a file system extension to the endpoint, the file system extension providing use of a key to access files whenever a security state of the endpoint is not compromised and withholding use of the key whenever the security state of the endpoint is compromised;
for a plurality of unsecure files existing on the endpoint, initializing encryption of the plurality of unsecure files with a background process using the key when the file system extension is added to the endpoint to provide a plurality of encrypted files;
monitoring the security state of the endpoint;
providing access to the plurality of encrypted files by a process other than the background process executing on the endpoint using the file system extension;
detecting an access, by the process, to a new file not yet encrypted by the background process with the key for secure use on the endpoint;
if the security state of the endpoint is not compromised, encrypting the new file with the background process using the key immediately upon detecting the access by the process to add the new file to the plurality of encrypted files; and
if the security state of the endpoint is compromised, deleting the key from the endpoint to prevent access by the process to the plurality of encrypted files, initiating a remediation of the endpoint, and in response to successful remediation of the endpoint, recovering the key to the endpoint from a remote key management system.
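Four of the claims on this page (key management for compromised endpoints, behavioral-based control of access to encrypted content, process-level control of encrypted content, and just-in-time encryption above) share one mechanism: a file-system extension that decrypts per process according to a security state, keeps files a process already has open when it becomes exposed, denies it new ones, restores access after a restart, and at endpoint level deletes the cached key and recovers it from a remote key service only after remediation. The following is a single added example written for this page that walks through all four behaviours; it is not Sophos code. The keystream cipher is a stand-in so the example runs on the standard library alone, the behavioural rule names, the simulated KMS and the file contents are constructed, and the split between process exposure and endpoint compromise is this example's assumption.

```python
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream), not a production construction."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

# Behavioural rules (assumed): events that turn a secure process into an
# exposed one, and events that mean the endpoint itself is compromised.
EXPOSURE_EVENTS = {"read_untrusted_download", "opened_exposed_object"}
COMPROMISE_EVENTS = {"tampered_with_security_agent"}

class KeyManagementServer:
    """Remote KMS (simulated): holds the master copy of each endpoint key."""
    def __init__(self):
        self._keys = {}
    def provision(self, endpoint: str) -> bytes:
        self._keys[endpoint] = os.urandom(32)
        return self._keys[endpoint]
    def recover(self, endpoint: str, remediated: bool) -> bytes:
        if not remediated:
            raise PermissionError("endpoint not remediated")
        return self._keys[endpoint]

class FileSystemFilter:
    """Decrypts on a per-process basis according to each process's state."""
    def __init__(self, kms: KeyManagementServer, endpoint: str = "ep-1"):
        self.kms, self.endpoint = kms, endpoint
        self.key = kms.provision(endpoint)   # key material cached on the endpoint
        self.encrypted = {}                  # path -> (nonce, ciphertext)
        self.unsecured = {}                  # plaintext files not yet encrypted
        self.state = {}                      # pid -> "secure" | "exposed"
        self.handles = {}                    # pid -> paths it already has open

    def _encrypt(self, path, data):
        nonce = os.urandom(16)
        self.encrypted[path] = (nonce, keystream_xor(self.key, nonce, data))

    def add_unsecured(self, path, data):
        self.unsecured[path] = data

    def background_encrypt(self):
        """Initial sweep when the extension is installed."""
        for path in list(self.unsecured):
            self._encrypt(path, self.unsecured.pop(path))

    def start_process(self, pid):
        self.state[pid], self.handles[pid] = "secure", set()

    def observe(self, pid, event):
        if event in COMPROMISE_EVENTS:
            self.key = None                              # delete cached key material
            self.state = dict.fromkeys(self.state, "exposed")
        elif event in EXPOSURE_EVENTS:
            self.state[pid] = "exposed"                  # open files stay, new opens denied

    def remediate_endpoint(self):
        """After successful remediation the key comes back from the KMS."""
        self.key = self.kms.recover(self.endpoint, remediated=True)
        self.state = dict.fromkeys(self.state, "secure")

    def read(self, pid, path) -> bytes:
        if self.key is None:
            raise PermissionError("key deleted: endpoint compromised")
        if path in self.unsecured:                       # just-in-time encryption
            self._encrypt(path, self.unsecured.pop(path))
        if path not in self.encrypted:
            raise FileNotFoundError(path)
        if self.state[pid] == "exposed" and path not in self.handles[pid]:
            raise PermissionError(f"{pid} is exposed; no new files")
        self.handles[pid].add(path)
        nonce, ct = self.encrypted[path]
        return keystream_xor(self.key, nonce, ct)

def scenario() -> dict:
    """Constructed walk-through; returns the observable outcomes."""
    fs = FileSystemFilter(KeyManagementServer())
    fs.add_unsecured("/docs/a.txt", b"quarterly numbers")
    fs.add_unsecured("/docs/b.txt", b"board minutes")
    fs.background_encrypt()
    fs.add_unsecured("/docs/new.txt", b"created after rollout")
    fs.start_process("word")
    fs.start_process("browser")
    r = {"a": fs.read("word", "/docs/a.txt"), "new": fs.read("word", "/docs/new.txt")}
    r["new_is_encrypted"] = "/docs/new.txt" in fs.encrypted
    fs.observe("word", "opened_exposed_object")
    r["a_while_exposed"] = fs.read("word", "/docs/a.txt")     # already open: kept
    try:
        fs.read("word", "/docs/b.txt"); r["b_denied"] = False
    except PermissionError:
        r["b_denied"] = True
    fs.start_process("word")                                  # restart: secure again
    r["b_after_restart"] = fs.read("word", "/docs/b.txt")
    fs.observe("browser", "tampered_with_security_agent")     # endpoint compromise
    try:
        fs.read("word", "/docs/a.txt"); r["denied_after_compromise"] = False
    except PermissionError:
        r["denied_after_compromise"] = True
    fs.remediate_endpoint()
    r["after_recovery"] = fs.read("word", "/docs/a.txt")
    return r
```

The two levels are deliberately different in what they withhold: an exposed process keeps its open handles and loses only new opens, which is what lets a restart be a cheap remediation, whereas endpoint compromise removes the key itself, so nothing on the machine can decrypt until the KMS hands the key back.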